.png)
In 2025, an attacker published a package on npm called postmark-mcp, a near-exact replica of the legitimate connector that lets AI agents send email through Postmark. Developers who installed it got exactly what they expected: for fifteen versions the package worked flawlessly, quietly accumulating downloads and trust. Then, on September 17, version 1.0.16 shipped with one extra line of code that silently BCC'd every outgoing email - password resets, invoices, internal correspondence - to the attacker's domain. By the time the package was discovered and removed, 1,643 installations had been leaking their mail.
That was the first confirmed malicious MCP server, and there was nothing novel about how it worked. Attackers have been slipping poisoned packages into software supply chains for decades; what changed is the target.
Your software supply chain is everything you didn't write but run anyway: the packages you install, the packages those packages install, the container images, the build tools, the model weights you download. Modern software is mostly assembled rather than written, which is what makes it fast to build - and it's also the deal you sign, because every component you assemble extends your trust to a stranger who maintains it.
A supply chain attack exploits that trust. Instead of breaching your systems directly, the attacker compromises something you willingly install. It's efficient: poison one popular package and you compromise every downstream user at once. The Shai-Hulud worm proved this at scale in late 2025, compromising over 796 npm packages by stealing maintainer tokens and using them to publish more infected versions of itself.
None of this is news to security teams. What is news is what agents did to the blast radius.
AI agents didn't replace the old supply chain; they inherited it whole, and then added new layers of third-party trust on top of it.
1. Dependencies, but deeper. For our State of AI Agent Security report, we audited the lock files of major AI/agent projects against comparable non-AI platforms. The AI projects declared a median of 29 direct dependencies that resolved to 271 installed packages - a 14.6x fan-out, against 2.3x for the non-AI baseline. LangChain is the extreme case, where 7 declared dependencies expand to 271 resolved packages, a 39x fan-out. The agentic AI supply chain now moves more than a billion package downloads a month, and every one of those packages runs in the agent's process, with the agent's shell access, database credentials, and API keys.

Figure 1 · Dependency fan-out: what AI/agent projects declare vs what they actually run, compared to non-AI platforms.
2. MCP servers. MCP servers are the connectors that give agents hands - email, databases, cloud APIs. Of 572 agent config files we found on GitHub, zero pinned a version, and 1,760 configs launch servers with npx -y, which auto-installs the latest version and auto-confirms it on every run. Pinning matters because it decides what happens the day a package turns malicious, whether through a fake replica like postmark-mcp or a compromised maintainer in a Shai-Hulud-style takeover: a pinned config keeps running the version you reviewed, while an unpinned one pulls the poisoned release the moment it's published. That's how postmark-mcp got its 1,643 victims - nobody chose to install version 1.0.16, their agents fetched whatever came next.
3. Skills. Skills are instruction files agents read and follow - and instructions turn out to be a payload. We scanned 206,435 skill files from GitHub and published the full findings in our latest skills blog. For the supply chain story, two campaigns stand out:
4. Model weights. The model your agent runs on is a downloaded file like any other dependency, and the format much of the ecosystem still uses to store it - Python's pickle - can execute arbitrary code embedded inside the file the moment you load it. Despite safer alternatives existing for years, 44.9% of popular Hugging Face models still ship as pickle files, and pickle-format models are downloaded about 2.1 billion times a month (Kellas et al., "PickleBall," ACM CCS 2025). Attackers already exploit this: JFrog researchers found more than 100 models on Hugging Face with malicious code hidden in their pickle files. Hugging Face scans every upload with a tool called Picklescan to catch exactly this, but in 2025 alone researchers disclosed three critical ways to slip a malicious model past it - so a clean scan is not a guarantee of a clean model. Downloading a model means running someone else's code, and most teams still don't treat it that way.
5. Slopsquatting. This layer is unique because the weakness starts inside your own tools. A USENIX Security 2025 study by Spracklen et al., which analyzed 576,000 AI-generated code samples across 16 models, found that AI coding assistants hallucinate package names at rates reaching 21.7% for open-source models, and that 43% of those invented names recur across sessions. That makes them predictable - an attacker can register the packages your AI will recommend next, before it recommends them. It's typosquatting where the machine makes the typo for you, and it has already been exploited in the wild: ReversingLabs found fake PyPI packages impersonating Alibaba Cloud AI services, hiding payloads inside pickle model files, that pulled 1,600 downloads in under 24 hours.

Figure 2 · The agentic supply chain attack surface: four component layers feed the agent; compromising any one inherits everything the agent can do.
A poisoned package in a traditional app steals what that app can reach. A poisoned component in an agent stack lands inside something that holds your API keys, reads your email, executes shell commands, and acts autonomously. Our audit of the 31 most popular MCP servers found 84% lack confirmation gates before destructive operations, and of 206,435 skills we scanned, only 3.6% require human approval before acting. A compromised component in this stack doesn't just get access to your systems; it gets agency over them.
The fixes here are unglamorous, which is exactly why they work:
Every attack in this post passed the checks people actually ran; the compromise arrived after the component was approved. That's the gap Capsule Security closes: a runtime security platform for AI agents that discovers the agents running across your organization, maps what each one can reach, watches their behavior live, and interrupts unsafe actions mid-execution - with no changes to your code, agents, or architecture. An email that suddenly BCCs an unknown domain gets stopped as it happens, not discovered in next quarter's audit.
The numbers in this post are a small slice of our "State of the Agentic AI" report, which goes much deeper into how agents are being built, attacked, and defended. Download the full report here.

Our analysis of 206,435 AI agent skills reveals a rapidly growing software supply chain vulnerable to natural language payloads and dangerous capability combinations. Read the report to understand how these skills bypass traditional security controls and learn how Capsule protects your organization by securing the agent runtime.
.png)
The theoretical phase of agentic AI security is over—the attack surface is real and the incidents are documented. This post breaks down the defensive architecture taking shape in response: Meta's Agents Rule of Two, deterministic enforcement hooks, identity governance for non-human agents, and the questions security leaders need to be asking right now.

The security risks of AI agents are no longer theoretical. This blog examines the active threat landscape facing agentic AI in 2026, from prompt injection and supply chain attacks against MCP and skill registries to the governance gap created by vibe coding and Shadow AI.

Guardian agents are emerging as a critical security layer for the agentic AI era. As enterprises adopt AI agents that execute tools, handle sensitive data, and operate inside real workflows, human approval loops no longer scale. Guardian agents solve this by supervising other agents in real time: monitoring actions, enforcing policy, and blocking risky behavior before execution.
.png)
Capsule found two Cursor IDE vulnerabilities that let hidden prompt-injection instructions in referenced files steal developers’ SSH keys and contaminate future unrelated projects, causing zero-click or one-click exfiltration even when the attacker ships no malicious code.

Capsule Security’s State of AI Agent Security 2026 report is the largest independent audit of AI agents to date, showing that the ecosystem is rapidly shipping publicly exposed, weakly guarded, highly connected agents with recurring misconfigurations, near-absent runtime controls, widespread prompt-injection risk, expanding supply-chain exposure, and active malicious campaigns still propagating through agent skill and tool registries.

Capsule is launching a runtime security platform for the agentic AI era, built to monitor and stop autonomous agents that can bypass traditional guardrails, misuse legitimate access, and create a new class of enterprise security risk.

Capsule research team discover a critical prompt injection vulnerability in Salesforce Agentforce that allows attackers to exfiltrate CRM data through a simple lead from a form submission. No authentication required.